How can I protect my Vaultwarden account from brute-force attacks?

How can I protect my server accounts from password brute force?

Bitwarden’s FAQ has such a question and answer (Emails from Bitwarden | Bitwarden Help Center):

How can I protect my Bitwarden account from brute-force attacks?

A: A brute-force attack is when a malicious actor cycles through a combination of weak and short passwords in an attempt to gain access to your account. Bitwarden offers a few ways you can protect yourself from these potential attacks:

  • Have a long and unique master password. Bitwarden requires a 12 character minimum to increase account security.
  • Set up 2FA on all Bitwarden accounts to add an additional layer of security.
  • Bitwarden will require CAPTCHA verification after 9 failed login attempts from an unknown device.

Bitwarden’s website has an article about sending an email when a login attempt fails (Emails from Bitwarden | Bitwarden Help Center):

1. Vaultwarden does not have captcha?
2. Vaultwarden can’t send emails on failed login attempt?

1. Vaultwarden does not have captcha?

We do not indeed, if i’m correct this is not active for self-hosted instances, even the Bitwarden Self-Hosteds).
We do have a rate-limit on this, so that should prevent brute-force attacks.

2. Vaultwarden can’t send emails on failed login attempt?

We currently do not indeed. We do for successful logins from unknown devices.
But this is a nice feature to add, ill put it on the list.


Thank you for your answers.

  1. That’s right, now the limit on the number of login attempts is triggered on failed login attempts.
    What should I specify for LOGIN_RATELIMIT_SECONDS and LOGIN_RATELIMIT_MAX_BURST so that after 10 failed login attempts, the next one will be in 5 minutes?
  2. This is a great option. We hope it will be added soon. Thx.

If i’m correct from the top of my head that would be:
LOGIN_RATELIMIT_MAX_BURST=10 And i set 10 here, but keep in mind that since you use 2FA, which causes the clients to call that endpoint a second time within those 5 minutes.

Also note, we do this for every attempt, not only failed logins, because someone could also try to use invalid logins or try multiple etc…

So, this does mean that if you login from the same IP on 5 different devices which all need to enter a 2FA within 5 minutes, that after that you can’t login anymore, and need to wait for 5 minutes to try again.

1 Like

Does this work for the IP-account vaultwarden mapping?
For example: I have 50 users, they who log in from the same IP (NAT) in vaultwarden. User ( entered 10 times wrong password. Will only or all users get login restriction (5 minutes)?

It’s per IP. Nothing else is used to match it.
Else an attacker could just switch between multiple accounts if they know more accounts on a specific deployment exists.

1 Like